elastic · ymao1 · Dec 12, 2022 · Dec 12, 2022 · Dec 12, 2022 · Dec 12, 2022
@@ -187,6 +187,25 @@ export interface AlertsHealth {
   };
 }
 
+export interface SummarizedAlertsWithAll {
+  new: {
+    count: number;
+    data: unknown[];
+  };
+  ongoing: {
+    count: number;
+    data: unknown[];
+  };
+  recovered: {
+    count: number;
+    data: unknown[];
+  };
+  all: {
+    count: number;
+    data: unknown[];
+  };
+}
+
 export interface ActionVariable {
   name: string;
   description: string;

diff --git a/x-pack/plugins/alerting/server/lib/process_alerts.ts b/x-pack/plugins/alerting/server/lib/process_alerts.ts
@@ -20,6 +20,7 @@ interface ProcessAlertsOpts<
   previouslyRecoveredAlerts: Record<string, Alert<State, Context>>;
   hasReachedAlertLimit: boolean;
   alertLimit: number;
+  autoRecoverAlerts: boolean;
   // flag used to determine whether or not we want to push the flapping state on to the flappingHistory array
   setFlapping: boolean;
 }
@@ -47,6 +48,7 @@ export function processAlerts<
   previouslyRecoveredAlerts,
   hasReachedAlertLimit,
   alertLimit,
+  autoRecoverAlerts,
   setFlapping,
 }: ProcessAlertsOpts<State, Context>): ProcessAlertsResult<
   State,
@@ -62,7 +64,13 @@ export function processAlerts<
         alertLimit,
         setFlapping
       )
-    : processAlertsHelper(alerts, existingAlerts, previouslyRecoveredAlerts, setFlapping);
+    : processAlertsHelper(
+        alerts,
+        existingAlerts,
+        previouslyRecoveredAlerts,
+        autoRecoverAlerts,
+        setFlapping
+      );
 }
 
 function processAlertsHelper<
@@ -74,6 +82,7 @@ function processAlertsHelper<
   alerts: Record<string, Alert<State, Context>>,
   existingAlerts: Record<string, Alert<State, Context>>,
   previouslyRecoveredAlerts: Record<string, Alert<State, Context>>,
+  autoRecoverAlerts: boolean,
   setFlapping: boolean
 ): ProcessAlertsResult<State, Context, ActionGroupIds, RecoveryActionGroupId> {
   const existingAlertIds = new Set(Object.keys(existingAlerts));
@@ -123,7 +132,7 @@ function processAlertsHelper<
             updateAlertFlappingHistory(activeAlerts[id], false);
           }
         }
-      } else if (existingAlertIds.has(id)) {
+      } else if (existingAlertIds.has(id) && autoRecoverAlerts) {
         recoveredAlerts[id] = alerts[id];
         currentRecoveredAlerts[id] = alerts[id];
 

diff --git a/x-pack/plugins/alerting/server/plugin.ts b/x-pack/plugins/alerting/server/plugin.ts
@@ -335,6 +335,8 @@ export class AlertingPlugin {
         ruleType.cancelAlertsOnRuleTimeout =
           ruleType.cancelAlertsOnRuleTimeout ?? this.config.cancelAlertsOnRuleTimeout;
         ruleType.doesSetRecoveryContext = ruleType.doesSetRecoveryContext ?? false;
+        ruleType.autoRecoverAlerts =
+          ruleType.autoRecoverAlerts === undefined ? true : ruleType.autoRecoverAlerts;
         ruleTypeRegistry.register(ruleType);
       },
       getSecurityHealth: async () => {

@@ -14,7 +14,7 @@ import { ExecuteOptions as EnqueueExecutionOptions } from '@kbn/actions-plugin/s
 import { ActionsClient } from '@kbn/actions-plugin/server/actions_client';
 import { chunk } from 'lodash';
 import { AlertingEventLogger } from '../lib/alerting_event_logger/alerting_event_logger';
-import { parseDuration, RawRule, ThrottledActions } from '../types';
+import { GetRuleUrlFnOpts, parseDuration, RawRule, ThrottledActions } from '../types';
 import { RuleRunMetricsStore } from '../lib/rule_run_metrics_store';
 import { injectActionParams } from './inject_action_params';
 import { ExecutionHandlerOptions, RuleTaskInstance } from './types';
@@ -201,7 +201,7 @@ export class ExecutionHandler<
           if (isSummaryActionPerRuleRun(action) && !this.hasAlerts(alerts)) {
             continue;
           }
-          const summarizedAlerts = await this.getSummarizedAlerts({
+          const { startMs, endMs, summarizedAlerts } = await this.getSummarizedAlerts({
             action,
             spaceId,
             ruleId,
@@ -222,7 +222,13 @@ export class ExecutionHandler<
                 actionsPlugin,
                 actionTypeId,
                 kibanaBaseUrl: this.taskRunnerContext.kibanaBaseUrl,
-                ruleUrl: this.buildRuleUrl(spaceId),
+                ruleUrl: this.buildRuleUrl({
+                  id: ruleId,
+                  spaceId,
+                  params: this.rule.params,
+                  startMs,
+                  endMs,
+                }),
               }),
             }),
           };
@@ -267,7 +273,11 @@ export class ExecutionHandler<
                 kibanaBaseUrl: this.taskRunnerContext.kibanaBaseUrl,
                 alertParams: this.rule.params,
                 actionParams: action.params,
-                ruleUrl: this.buildRuleUrl(spaceId),
+                ruleUrl: this.buildRuleUrl({
+                  id: ruleId,
+                  spaceId,
+                  params: this.rule.params,
+                }),
                 flapping: executableAlert.getFlapping(),
               }),
             }),
@@ -401,7 +411,24 @@ export class ExecutionHandler<
     return alert.getScheduledActionOptions()?.actionGroup || this.ruleType.recoveryActionGroup.id;
   }
 
-  private buildRuleUrl(spaceId: string): string | undefined {
+  private buildRuleUrl({
+    id,
+    params,
+    spaceId,
+    startMs,
+    endMs,
+  }: GetRuleUrlFnOpts<Params>): string | undefined {
+    // Use the rule type's getRuleUrl callback if defined
+    // This does not necessarily require `kibanaBaseUrl` to be defined
+    const ruleTypeUrl = this.ruleType.getRuleUrl
+      ? this.ruleType?.getRuleUrl({ id, params, spaceId, startMs, endMs })
+      : null;
+
+    if (ruleTypeUrl) {
+      return ruleTypeUrl;
+    }
+
+    // Fallback to generic rule urle
     if (!this.taskRunnerContext.kibanaBaseUrl) {
       return;
     }
@@ -543,13 +570,35 @@ export class ExecutionHandler<
     const alerts = await this.ruleType.getSummarizedAlerts!(options);
 
     const total = alerts.new.count + alerts.ongoing.count + alerts.recovered.count;
-    return {
+    const summarizedAlerts = {
       ...alerts,
       all: {
         count: total,
         data: [...alerts.new.data, ...alerts.ongoing.data, ...alerts.recovered.data],
       },
     };
+
+    if (summarizedAlerts.all.count > 0) {
+      // get the time bounds for this alert array
+      const timestampMillis: number[] = summarizedAlerts.all.data
+        .map((alert: unknown) => {
+          const timestamp = (alert as { '@timestamp': string })['@timestamp'];
+          if (timestamp) {
+            return new Date(timestamp).valueOf();
+          }
+          return null;
+        })
+        .filter((timeInMillis: number | null) => null != timeInMillis)
+        .sort() as number[];
+
+      return {
+        startMs: timestampMillis[0],
+        endMs: timestampMillis[timestampMillis.length - 1],
+        summarizedAlerts,
+      };
+    }
+
+    return { summarizedAlerts };
   }
 
   private async actionRunOrAddToBulk({

diff --git a/x-pack/plugins/alerting/server/task_runner/task_runner.ts b/x-pack/plugins/alerting/server/task_runner/task_runner.ts
@@ -49,6 +49,7 @@ import {
   RuleTypeState,
   parseDuration,
   WithoutReservedActionGroups,
+  RawAlertInstance,
 } from '../../common';
 import { NormalizedRuleType, UntypedNormalizedRuleType } from '../rule_type_registry';
 import { getEsErrorMessage } from '../lib/errors';
@@ -415,6 +416,8 @@ export class TaskRunner<
           previouslyRecoveredAlerts: originalRecoveredAlerts,
           hasReachedAlertLimit,
           alertLimit: this.maxAlerts,
+          autoRecoverAlerts:
+            this.ruleType.autoRecoverAlerts !== undefined ? this.ruleType.autoRecoverAlerts : true,
           setFlapping: true,
         });
 
@@ -479,12 +482,20 @@ export class TaskRunner<
       }
     });
 
-    const { alertsToReturn, recoveredAlertsToReturn } = determineAlertsToReturn<
-      State,
-      Context,
-      ActionGroupIds,
-      RecoveryActionGroupId
-    >(activeAlerts, recoveredAlerts);
+    let alertsToReturn: Record<string, RawAlertInstance> = {};
+    let recoveredAlertsToReturn: Record<string, RawAlertInstance> = {};
+
+    // Only serialize alerts into task state if we're auto-recovering, otherwise
+    // we don't need to keep this information around.
+    if (this.ruleType.autoRecoverAlerts) {
+      const { alertsToReturn: alerts, recoveredAlertsToReturn: recovered } =
+        determineAlertsToReturn<State, Context, ActionGroupIds, RecoveryActionGroupId>(
+          activeAlerts,
+          recoveredAlerts
+        );
+      alertsToReturn = alerts;
+      recoveredAlertsToReturn = recovered;
+    }
 
     return {
       metrics: ruleRunMetricsStore.getMetrics(),

@@ -12,6 +12,7 @@ import {
   AlertInstanceContext,
   RuleTypeParams,
   SanitizedRule,
+  SummarizedAlertsWithAll,
 } from '../types';
 
 interface TransformActionParamsOptions {
@@ -35,25 +36,6 @@ interface TransformActionParamsOptions {
   flapping: boolean;
 }
 
-interface SummarizedAlertsWithAll {
-  new: {
-    count: number;
-    data: unknown[];
-  };
-  ongoing: {
-    count: number;
-    data: unknown[];
-  };
-  recovered: {
-    count: number;
-    data: unknown[];
-  };
-  all: {
-    count: number;
-    data: unknown[];
-  };
-}
-
 export function transformActionParams({
   actionsPlugin,
   alertId,
@@ -140,6 +122,15 @@ export function transformSummaryActionParams({
   const variables = {
     kibanaBaseUrl,
     date: new Date().toISOString(),
+    // For backwards compatibility with security solutions rules
+    context: {
+      alerts: alerts.new.data,
+      results_link: ruleUrl,
+      rule: rule.params,
+    },
+    state: {
+      signals_count: alerts.new.count,
+    },
     rule: {
       params: rule.params,
       id: rule.id,

@@ -152,6 +152,16 @@ export interface SummarizedAlerts {
 }
 export type GetSummarizedAlertsFn = (opts: GetSummarizedAlertsFnOpts) => Promise<SummarizedAlerts>;
 
+export interface GetRuleUrlFnOpts<Params extends RuleTypeParams> {
+  id: string;
+  params: Params;
+  spaceId: string;
+  startMs?: number;
+  endMs?: number;
+}
+export type GetRuleUrlFn<Params extends RuleTypeParams> = (
+  opts: GetRuleUrlFnOpts<Params>
+) => string | null;
 export interface RuleType<
   Params extends RuleTypeParams = never,
   ExtractedParams extends RuleTypeParams = never,
@@ -197,6 +207,13 @@ export interface RuleType<
   cancelAlertsOnRuleTimeout?: boolean;
   doesSetRecoveryContext?: boolean;
   getSummarizedAlerts?: GetSummarizedAlertsFn;
+  getRuleUrl?: GetRuleUrlFn<Params>;
+
+  /**
+   * Determines whether framework should
+   * automatically make recovery determination. Defaults to true.
+   */
+  autoRecoverAlerts?: boolean;
 }
 export type UntypedRuleType = RuleType<
   RuleTypeParams,